T 2.106 Disturbance to business processes as a result of security incidents
Security incidents can be triggered by a single event or a chain of unfortunate circumstances and can have a negative impact on the confidentiality, integrity, or availability of information and IT systems. This quickly has an adverse effect on essential specialised tasks and business processes in the organisation concerned. Even though most security incidents do not become public, those that do can still have a negative impact on the organisation's relationships with business partners and customers. Nor is it the case that the most serious and most extensive security incidents are triggered by the most serious security vulnerabilities. In many cases, a chain reaction of minor factors leads to the most extensive damage.
Examples:
- A computer problem made it impossible for the aircraft of two airline companies to take off from any airport in the USA for more than two hours. The problem was caused by a malfunction in a database that continuously provided information on pending flights. As a result, hundreds of flights could not depart as scheduled, and there were subsequently massive delays that affected several thousand passengers.
- A lack of plausibility checks will frequently cause minor errors in the data entered by users to have a serious impact. At the London Stock Exchange, for example, the FTSE index dropped by 200 points after a broker accidentally entered one zero too many in an order. At a hotel chain, a user forgot to enter one zero in an entry in the hotel's price database, which then resulted in the hotel chain offering luxury apartments in the South Pacific for one tenth of the actual price.
- The network of a large company was unavailable for more than 16 hours after the installation of a software update failed. As a result, 5000 employees were not able to perform their normal tasks and 1700 customer requests could not be processed. Important deadlines were missed as a consequence. On top of the already high load on the administration, an additional 6000 requests were sent to the User Support department.